[Snort-users] Alerts not Detected during Import?

Dusty Hall halljer at ...8709...
Thu Jun 26 09:00:03 EDT 2003

We are experiencing a problem with Snort not reporting Alerts that we
have in our rules files.  Here's some background:

We copy our Snort tcpdump logs from our sniffer to our MySQL/ACID
system and then import the tcpdump logs into ACID/MySQL.  From the looks
of our alert files the Specific alerts were detected by our sniffer but
not by Snort on our DB box.  So what I'm trying to ask is, does the
tcpdump log files from our sniffer box have all detected alerts in
tcpdump format that were sniffed on the wire?  Is there enough
information from the tcpdump files from our sniffer to process again and
pull out the same alerts?  Here's the steps we use: (Yes we have
identicial rules on both systems and both have the same version of

  snort.conf output snip -> "output log_tcpdump: snort-log"

  /usr/local/bin/snort -c /usr/local/snort/etc/snort.conf -D -b -o -i
eth1 -A fast


DB Import:

  snort.conf output snip -> "output database: alert, mysql, user=snort
password=xxxxxxx dbname=snort host=localhost"

  /usr/local/bin/snort -N -dve -c /usr/local/snort/etc/snort.conf -l
/usr/local/snort/logs -dr

Note: After I run the import and look at the newly created "alert"
file, it is much smaller than the "alert" file from our sniffer.  

Any help would be greatly appreciated.  I'm open to new ways of doing



More information about the Snort-users mailing list